PT-2025-9686 · Zitadel · Zitadel

Amit-Laish · Published 2025-03-04 · Updated 2025-05-06 · CVE-2025-27507

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Zitadel versions prior to 2.71.0
Zitadel versions prior to 2.70.1
Zitadel versions prior to 2.69.4
Zitadel versions prior to 2.68.4
Zitadel versions prior to 2.67.8
Zitadel versions prior to 2.66.11
Zitadel versions prior to 2.65.6
Zitadel versions prior to 2.64.5
Zitadel versions prior to 2.63.8
Description

The Admin API of the open-source identity infrastructure software Zitadel contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users without the required IAM roles to modify sensitive instance settings. The most critical issue is the ability to manipulate LDAP configurations. Customers who do not use LDAP for authentication are not exposed to the most severe aspects of this vulnerability; upgrading to a patched version is nevertheless strongly recommended to address all identified issues.

Several endpoints are affected, including /idps/ldap and /idps/ldap/{id}, which could allow unauthorized users to modify ZITADEL's instance LDAP settings or expose the original LDAP server's password. Other affected endpoints include /idps/templates/_search, /idps/templates/{id}, /policies/label/_activate, /policies/label/logo, /policies/label/logo_dark, /policies/label/icon, /policies/label/icon_dark, /policies/label/font, /text/message/passwordless_registration/{language}, and /text/login/{language}, which potentially allow unauthorized modification of instance settings.

The impact depends on whether a ZITADEL instance uses LDAP for authentication: for LDAP users, successful exploitation can lead to complete takeover of user accounts and exposure of the LDAP server's password; for non-LDAP users, it can lead to unauthorized modification of instance settings. Over 2.8K services are found to be potentially affected.
Recommendations

To resolve the issue, upgrade to the patched version for your release branch:

2.71.0 or later for 2.x versions
2.70.1 or later for 2.70.x versions
2.69.4 or later for 2.69.x versions
2.68.4 or later for 2.68.x versions
2.67.8 or later for 2.67.x versions
2.66.11 or later for 2.66.x versions
2.65.6 or later for 2.65.x versions
2.64.5 or later for 2.64.x versions
2.63.8 or later for 2.63.x versions

As a temporary workaround, consider restricting access to the vulnerable endpoints, such as /idps/ldap and /idps/ldap/{id}, to minimize the risk of exploitation.
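As an added illustration (not Zitadel's own code), the following Go middleware shows the authorization gate the advisory describes as missing on the listed Admin API endpoints, and the kind of check a gateway can apply as the interim workaround: being authenticated is not enough, an instance-level IAM role is required. The "/admin/v1" mount prefix, the "IAM_OWNER" role name and the rolesOf resolver are assumptions of this example.

```go
package main

import (
	"net/http"
	"strings"
)
// Admin API paths named in the advisory, matched together with their sub-resources
// such as /idps/ldap/{id}; the "/admin/v1" mount prefix is an assumption.
var sensitiveAdminPaths = []string{
	"/admin/v1/idps/ldap",
	"/admin/v1/idps/templates",
	"/admin/v1/policies/label",
	"/admin/v1/text/message/passwordless_registration",
	"/admin/v1/text/login",
}

func isSensitiveAdminPath(path string) bool {
	for _, base := range sensitiveAdminPaths {
		if path == base || strings.HasPrefix(path, base+"/") {
			return true
		}
	}
	return false
}

// authorizeAdminRequest is the check the advisory describes as missing: authentication
// alone is not enough; an instance-level IAM role ("IAM_OWNER", assumed name) is required.
func authorizeAdminRequest(path string, roles []string) bool {
	if !isSensitiveAdminPath(path) {
		return true // other routes keep their own authorization
	}
	for _, r := range roles {
		if r == "IAM_OWNER" {
			return true
		}
	}
	return false
}

// RequireIAMRole answers 403 on the sensitive endpoints unless rolesOf (which must
// read roles from the verified token, never from client input) yields an IAM role.
func RequireIAMRole(rolesOf func(*http.Request) []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorizeAdminRequest(r.URL.Path, rolesOf(r)) {
			http.Error(w, "forbidden: IAM role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Note that the prefix match stops at a path segment boundary, so an unrelated route that merely shares a prefix string is not gated by mistake.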

Exploit · Fix

Weakness Enumeration

IDOR
Incorrect Authorization

Related Identifiers

CVE-2025-27507
GHSA-F3GH-529W-V32X
GO-2025-3499
OPENSUSE-SU-2025:14889-1

Affected Products

Zitadel